Security report from a third-party researcher

Hello,

We have received a security report from a researcher on our Discourse-hosted instance. I went over it and some of the details are not clear to me, due to my lack of understanding of the platform.

I read the security guidelines, and it appears we need to submit it via HackerOne. The issue is I can either ask them to report directly, or do it myself (and possibly lose information in translation, given my knowledge gap).

Should I just forward the report to your email instead? In that case, I fear it might not be prioritized (you mention that in the guidelines).

Sorry about these questions, I am just trying to figure out what to do next. Thanks for your guidance, we love what you all do for us!

Cheers.

Try asking the researcher to submit it to HackerOne first. Researchers usually prefer that.

3 likes

It’s almost certainly bogus. “Security Spam” is a big problem. But responding to them with “Oh, thanks very much! We’re very happy that you have found this serious issue. Please report it to Hacker One at your earliest convenience to get the money that you so rightly deserve.” is likely how to prove to your superiors that you’re doing your job while also shutting up the spammers.

Good luck

1 like

Sure - will do. Thanks for confirming.

3 likes

Hah! I do think the report is legit. I would not have come here otherwise seeking advice.

In any case I understand the sentiment. I am the solo-devops person for all our platforms and it does get annoying with some of these “beg-bounty” hunters. I share your frustration though.

Cheers.

3 likes

In that case, my response is also appropriate.

It does seem like anyone clever enough to find a bug in Discourse would also be clever enough to have found out about their Hacker One page.

If they did actually find a security issue, I’d love to hear about it when it’s resolved!

2 likes